rhboot / shim

UEFI shim loader

What is the best way to test Shim with Vendor Certificate #633

Closed Jurij-Ivastsuk closed 4 months ago

Jurij-Ivastsuk commented 5 months ago

Hi all, what is the best way to test if Shim works with the integrated vendor certificate, assuming you don't have a Microsoft certificate yet and Secure Boot is enabled?

mikebeaton commented 5 months ago

It sounds like you need to sign shim yourself (with a different certificate) and then add that certificate (but not your vendor cert, since that's only meant to work for things loaded by shim) to the firmware SB db allow list.

Jurij-Ivastsuk commented 5 months ago

@mikebeaton Thank you very much! Is that the only way? Can you give me a hint as to which Linux tools I can use to add a test certificate to db?

mikebeaton commented 5 months ago

KeyTool.efi, which is included in the efitools package, or your BIOS may have a section for adding/appending to this from files stored on the ESP.
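The steps suggested in the replies above, sketched as an added shell example that is not part of the original thread or the shim project: create a throwaway test key, sign shim with it, and produce files that can be enrolled into db. It assumes `openssl`, `sbsign`/`sbverify` (sbsigntools) and `cert-to-efi-sig-list` (efitools) are installed; all file names and the certificate subject are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: test-only db key for validating a self-built shim.
# File names are placeholders; nothing here writes firmware variables.
set -e

# Create a throwaway RSA-2048 key and self-signed certificate (PEM),
# plus a DER copy, which firmware setup screens commonly expect.
make_test_db_cert() {   # $1 = output directory
    openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -days 30 \
        -subj "/CN=shim test db key (not for production)" \
        -keyout "$1/test-db.key" -out "$1/test-db.crt" 2>/dev/null
    chmod 600 "$1/test-db.key"
    openssl x509 -in "$1/test-db.crt" -outform DER -out "$1/test-db.cer"
}

# Sign the shim binary with the test key, then check the signature
# against the same certificate before copying anything to the ESP.
sign_shim() {           # $1 = key/cert dir, $2 = unsigned shim, $3 = output
    sbsign --key "$1/test-db.key" --cert "$1/test-db.crt" --output "$3" "$2"
    sbverify --cert "$1/test-db.crt" "$3"
}

# Wrap the certificate in an EFI signature list, the format KeyTool.efi
# appends to db. Only this test certificate goes into db; the vendor
# certificate stays embedded in shim.
make_db_esl() {         # $1 = key/cert dir, $2 = owner GUID
    cert-to-efi-sig-list -g "$2" "$1/test-db.crt" "$1/test-db.esl"
}

# Print the subject of a DER certificate, to confirm which key is enrolled.
cert_subject() {        # $1 = DER certificate
    openssl x509 -inform DER -in "$1" -noout -subject
}

# Usage (placeholder paths):
#   d=$(mktemp -d); make_test_db_cert "$d"
#   sign_shim "$d" shimx64.efi shimx64.signed.efi
#   make_db_esl "$d" "$(uuidgen)"
#   cp "$d/test-db.cer" "$d/test-db.esl" /path/to/ESP/
```

Remove the test certificate from db once testing is done, since anything signed with that key will boot on the machine while it is enrolled.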

Jurij-Ivastsuk commented 5 months ago

@mikebeaton Thank you very much!